Threats 101
Ryan Berg
Nov 2015

An Example of Just How Good Phishing Attacks Have Become

Photo by Derek Gavey

It's that time of year when our inboxes that are stuffed along with our turkeys — crammed full of special last-minute offers and holiday discounts to go along with all the usual messages from colleagues and friends. It's an important time to step back and remember that not every email we receive may be exactly what it seems.

Quick stat:
According to email security provider Proofpoint, at various times during 2015, up to 30-40 percent of all unsolicited email was malicious.

What Does a Phishing Attack Look Like in Action?

Many of us may be familiar with phishing — a malicious attempt to acquire sensitive information by mascquerading as a trustworthy source via email, text, pop-up message, etc. — but we still mostly think of it as easy-to-spot spam messages from Nigerian princes. The truth is phishing has evolved to become much more advanced and effective.

Today's phishing messages can look incredibly legitimate, and they can appear to come from sources we know and trust.

Case in point — a message our CEO received that was purportedly from our lawyer:

Phishing attempt directed at Barkly

To the untrained eye, this message looks legit. It wouldn’t be out of the question for our lawyer to be reaching out to our CEO. Luckily for us, our CEO is used to keeping security top of mind and views any email even slightly out of the ordinary with scrutiny. In this case, he thought it was strange our lawyer would be sending him files out of the blue, as that’s something he’s never done before.

Instead of clicking on the download link, he called our lawyer (yes people still use phones to call people) asking him if he had in fact sent it. When our lawyer confirmed that he did not send the message Mike notified our research team, who analyzed the email and determined that it was indeed malicious.

Breaking Down the Phishing Attack

The file the message linked to was cleverly named “Doc_from_[lawyer’s email address].com”. The “.com” is an old extension that can be substituted for .exe on Windows. The file itself was a malware executable with stereotypical malicious characteristics.

This was a clever phishing attack for a variety of reasons:

  • It used a real third party site (www.wetransfer.com) to host the malware.
  • Wetransfer requires no real identity proof and allows anyone to spoof an email. In this case the message from: field was our lawyer's real email address.
  • A casual glance may not have noticed the file was not an actual document (though a slight modification could make this an actual document by using a macro base downloader).

If Mike hadn't been skeptical it wouldn’t have taken much for this to infect his computer. The payload itself wasn’t particularly sophisticated — it was simply a repackaged version of http://www.win-spy.com/. But attacks often don't need to be overly sophisticated or stealthy. It only takes a few seconds of actual processing time to do enough damage that the machine needs to be re-imaged. It often comes down to how quickly something like this is discovered and how quickly it can be contained.

Lessons Learned

As this case shows, phishing is something that we should all be taking seriously. Companies need to invest in proper cybersecurity awareness training to help employees know how to recognize warning signs and exercise caution. Even then, it is very likely that you will have to deal with a successful phishing attack at some point. All it takes is one click.

I would love for more organizations (including my own) to get to a point where email is not used as a file transfer mechanism. With so many better ways to share content today, it’s a lot easier to see that something is out of the ordinary when you have instituted a standard means for sharing content both internally and with your partners (in this case none of us had heard of wetransfer so that in itself was suspicious).

In the meantime, a simple but powerful tip is don’t be so quick to click, especially when handling documents shared or proxied through email.

Ryan Berg

Ryan Berg

Ryan is Chief Scientist at Barkly. He holds multiple patents and is a popular speaker, instructor, and author in the fields of security, risk management, and secure application development.

lock-white.png

Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.